---
title: Cloud Controller Blobstore Configuration
owner: CAPI
---

<strong><%= modified_date %></strong>

This topic describes the options for configuring a blobstore for the Cloud Controller.

Cloud Controller has four types of objects that need to be stored in a blobstore: <code>buildpacks</code>, <code>droplets</code>, <code>packages</code>, and <code>resource_pool</code>. By default, the blobstore configuration uses the Fog Ruby gem, but can also use the WebDAV protocol.

This document describes five common blobstore configurations: 

* [Fog with AWS Credentials](#fog-aws-creds)
* [Fog with AWS Server Side Encryption](#fog-aws-sse)
* [Fog with AWS IAM Instance Profiles](#fog-aws-iam)
* [Fog with Google Cloud Storage](#fog-gcs)
* [Fog with Azure Storage](#fog-azure)
* [Fog with NFS](#fog-local-nfs)
* [WebDAV](#webdav) internal blobstore

##<a id="fog-aws-creds"></a> Fog with AWS Credentials

To use Fog blobstores with AWS credentials, perform the steps below.

1. Insert the following configuration into your manifest under `properties.cc`:

    ```
    cc:
      buildpacks:
        blobstore_type: fog
        buildpack_directory_key: YOUR-AWS-BUILDPACK-BUCKET
        fog_connection: &fog_connection
          aws_access_key_id: AWS-ACCESS-KEY
          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
          provider: AWS
          region: us-east-1
      droplets:
        blobstore_type: fog
        droplet_directory_key: YOUR-AWS-DROPLET-BUCKET
        fog_connection: *fog_connection
      packages:
        blobstore_type: fog
        app_package_directory_key: YOUR-AWS-PACKAGE-BUCKET
        fog_connection: *fog_connection
      resource_pool:
        blobstore_type: fog
        resource_directory_key: YOUR-AWS-RESOURCE-BUCKET
        fog_connection: *fog_connection
    ```
1. Replace `AWS-ACCESS-KEY` and `AWS-SECRET-ACCESS-KEY` with your AWS credentials.

1. Replace `YOUR-AWS-BUILDPACK-BUCKET`, `YOUR-AWS-DROPLET-BUCKET`, `YOUR-AWS-PACKAGE-BUCKET`, and `YOUR-AWS-RESOURCE-BUCKET` with the names of your AWS buckets. Do not use periods (`.`) in your AWS bucket names. In the AWS console, you must assign your credentials an IAM policy that allows all S3 actions on all of these buckets. 

1. (Optional) Provide additional configuration through the <code>fog_connection</code> hash, which is passed through to the Fog gem.

##<a id="fog-aws-sse"></a> Fog with AWS Server-Side Encryption

AWS S3 offers Server-Side Encryption at rest. For more information, see <a href="http://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html">Protecting Data Using Server-Side Encryption</a>.

<strong>AWS SSE-S3 blobstore encryption</strong>

1. Insert the following configuration into your manifest under `properties.cc`:

      ```
      cc:
        buildpacks:
          blobstore_type: fog
          buildpack_directory_key: YOUR-AWS-BUILDPACK-BUCKET
          fog_connection: &fog_connection
            aws_access_key_id: AWS-ACCESS-KEY
            aws_secret_access_key: AWS-SECRET-ACCESS-KEY
            provider: AWS
            region: us-east-1
          fog_aws_storage_options: &fog_aws_storage_options
            encryption: 'AES256'
        droplets:
          blobstore_type: fog
          droplet_directory_key: YOUR-AWS-DROPLET-BUCKET
          fog_connection: *fog_connection
          fog_aws_storage_options: *fog_aws_storage_options
        packages:
          blobstore_type: fog
          app_package_directory_key: YOUR-AWS-PACKAGE-BUCKET
          fog_connection: *fog_connection
          fog_aws_storage_options: *fog_aws_storage_options
        resource_pool:
          blobstore_type: fog
          resource_directory_key: YOUR-AWS-RESOURCE-BUCKET
          fog_connection: *fog_connection
          fog_aws_storage_options: *fog_aws_storage_options
      ```

1. Replace `AWS_ACCESS_KEY` and `AWS_SECRET_ACCESS_KEY` with your AWS credentials.

1. Replace `YOUR-AWS-BUILDPACK-BUCKET`, `YOUR-AWS-DROPLET-BUCKET`, `YOUR-AWS-PACKAGE-BUCKET`, and `YOUR-AWS-RESOURCE-BUCKET` with the names of your AWS buckets. Do not use periods (`.`) in your AWS bucket names. In the AWS console, you must assign your credentials an IAM policy that allows all S3 actions on all of these buckets. 

1. You can provide further configuration through the <code>fog_connection</code> hash, which is passed through to the Fog gem.

1. `fog_aws_storage_options` takes a hash with the key `encryption`. Operators can set its value to a type of encryption algorithm. In the configuration information above, `encryption` is set to `AES256` to enable AWS SSE-S3 encryption. 

1. You can provide further configuration through the `fog_aws_storage_options` hash, which is passed through to the Fog gem.

<strong>AWS SSE-KMS blobstore encryption</strong>

1. Obtain your KMS Key ID. For information about managing KMS keys, see the <a href='http://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html'>AWS Key Management Service Getting Started guide.</a>

1. Insert the following configuration into your manifest under `properties.cc`:

      ```
      cc:
        buildpacks:
          blobstore_type: fog
          buildpack_directory_key: YOUR-AWS-BUILDPACK-BUCKET
          fog_connection: &fog_connection
            aws_access_key_id: AWS-ACCESS-KEY
            aws_secret_access_key: AWS-SECRET-ACCESS-KEY
            provider: AWS
            region: us-east-1
          fog_aws_storage_options: &fog_aws_storage_options
            encryption: 'aws:kms'
            x-amz-server-side-encryption-aws-kms-key-id: "YOUR-AWS-KMS-KEY-ID"
        droplets:
          blobstore_type: fog
          droplet_directory_key: YOUR-AWS-DROPLET-BUCKET
          fog_connection: *fog_connection
          fog_aws_storage_options: *fog_aws_storage_options
        packages:
          blobstore_type: fog
          app_package_directory_key: YOUR-AWS-PACKAGE-BUCKET
          fog_connection: *fog_connection
          fog_aws_storage_options: *fog_aws_storage_options
        resource_pool:
          blobstore_type: fog
          resource_directory_key: YOUR-AWS-RESOURCE-BUCKET
          fog_connection: *fog_connection
          fog_aws_storage_options: *fog_aws_storage_options
      ```

1. Replace `AWS-ACCESS-KEY` and `AWS-SECRET-ACCESS-KEY` with your AWS credentials. 

1. Replace `YOUR-AWS-BUILDPACK-BUCKET`, `YOUR-AWS-DROPLET-BUCKET`, `YOUR-AWS-PACKAGE-BUCKET`, and `YOUR-AWS-RESOURCE-BUCKET` with the names of your AWS buckets.  Do not use periods (`.`) in your AWS bucket names. In the AWS console, you must assign your credentials an IAM policy that allows all S3 actions on all of these buckets. 

1. You can provide further configuration through the <code>fog_connection</code> hash, which is passed through to the Fog gem.

1. Replace `YOUR-AWS-KMS-KEY-ID` with your KMS Key ID. 

1. `fog_aws_storage_options` takes a hash with the key `encryption`. Operators can set its value to a type of encryption algorithm. In the configuration information above, `encryption` is set to `aws:kms` to enable AWS SSE-KMS encryption. 

1. You can provide further configuration through the `fog_aws_storage_options` hash, which is passed through to the Fog gem.

##<a id="fog-aws-iam"></a> Fog with AWS IAM Instance Profiles

To configure Fog blobstores to use <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html">AWS IAM Instance Profiles</a>, perform the steps below.

1. Insert the following configuration into your manifest under `properties.cc`:

    ```
    cc:
      buildpacks:
        blobstore_type: fog
        buildpack_directory_key: YOUR-AWS-BUILDPACK-BUCKET
        fog_connection: &fog_connection
          provider: AWS
          region: us-east-1
          use_iam_profile: true
      droplets:
        blobstore_type: fog
        droplet_directory_key: YOUR-AWS-DROPLET-BUCKET
        fog_connection: *fog_connection
      packages:
        blobstore_type: fog
        app_package_directory_key: YOUR-AWS-PACKAGE-BUCKET
        fog_connection: *fog_connection
      resource_pool:
        blobstore_type: fog
        resource_directory_key: YOUR-AWS-RESOURCE-BUCKET
        fog_connection: *fog_connection
    ```
1. Replace `YOUR-AWS-BUILDPACK-BUCKET`, `YOUR-AWS-DROPLET-BUCKET`, `YOUR-AWS-PACKAGE-BUCKET`, and `YOUR-AWS-RESOURCE-BUCKET` with the names of your AWS buckets. Do not use periods (`.`) in your AWS bucket names. 

1. To provide further configuration, create a <code>fog_connection</code> hash to pass through to the Fog gem.

1. Complete the steps documented in the <a href="http://bosh.io/docs/aws-iam-instance-profiles.html#director-with-s3-blobstore">AWS CPI and Director configured with an S3 blobstore instructions</a> section of the BOSH documentation.

1. In the AWS console, configure an additional <code>cloud-controller</code> IAM role that gives access to both the BOSH S3 buckets and the Cloud Controller S3 buckets specified in your manifest:

    ```
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": [ "s3:*" ],
        "Resource": [
          "arn:aws:s3:::BOSH_BUCKET_NAME",
          "arn:aws:s3:::BOSH_BUCKET_NAME/*",
          "arn:aws:s3:::YOUR-AWS-BUILDPACK-BUCKET",
          "arn:aws:s3:::YOUR-AWS-BUILDPACK-BUCKET/*",
          "arn:aws:s3:::YOUR-AWS-DROPLET-BUCKET",
          "arn:aws:s3:::YOUR-AWS-DROPLET-BUCKET/*",
          "arn:aws:s3:::YOUR-AWS-PACKAGE-BUCKET",
          "arn:aws:s3:::YOUR-AWS-PACKAGE-BUCKET/*",
          "arn:aws:s3:::YOUR-AWS-RESOURCE-BUCKET",
          "arn:aws:s3:::YOUR-AWS-RESOURCE-BUCKET/*",
        ]
      }]
    }
    ```
If you use the AWS console, an IAM Role is automatically assigned to an IAM Instance Profile with the same name, <code>cloud-controller</code>. If you do not use the AWS console, you must create an IAM Instance Profile with a single assigned IAM Role.

1. In your Cloud Foundry deployment manifest, configure a resource pool to use the <code>cloud-controller</code> IAM Instance Profile:

    ```
    resource_pools:
    - name: cloud-controller-resource-pool
      network: default
      stemcell: { ... }
      cloud_properties:
        instance_type: c3.large
        iam_instance_profile: cloud-controller
    ```
1. Assign all Cloud Controller jobs, identified by <code>api\_z\*</code>, and Cloud Controller Worker jobs, identified by <code>api\_worker\_z\*</code>, to the <code>cloud-controller-resource-pool</code>.

##<a id="fog-gcs"></a>Fog with Google Cloud Storage

To configure your blobstores to use Google Cloud Storage Interoperability credentials, perform the steps below.

1. Insert the following configuration into your manifest under `properties.cc`:

    ```
    cc:
      buildpacks:
        blobstore_type: fog
        buildpack_directory_key: YOUR-GCS-BUILDPACK-BUCKET
        fog_connection: &fog_connection
          provider: Google
          google_storage_access_key_id: GCS-ACCESS-KEY
          google_storage_secret_access_key: GCS-SECRET-ACCESS-KEY
      droplets:
        blobstore_type: fog
        droplet_directory_key: YOUR-GCS-DROPLET-BUCKET
        fog_connection: *fog_connection
      packages:
        blobstore_type: fog
        app_package_directory_key: YOUR-GCS-PACKAGE-BUCKET
        fog_connection: *fog_connection
      resource_pool:
        blobstore_type: fog
        resource_directory_key: YOUR-GCS-RESOURCE-BUCKET
    ```

1. Create an Interoperability key using the [GCP instructions](https://cloud.google.com/storage/docs/migrating#keys).

1. Replace `GCS-ACCESS-KEY` and `GCS-SECRET-ACCESS-KEY` with your Cloud Storage credentials.

1. Replace `YOUR-GCS-BUILDPACK-BUCKET`, `YOUR-GCS-DROPLET-BUCKET`, `YOUR-GCS-PACKAGE-BUCKET`, and `YOUR-GCS-RESOURCE-BUCKET` with the names of your Cloud Storage buckets. Do not use periods (`.`) in your bucket names. 

1. You can provide further configuration through the <code>fog_connection</code> hash, which is passed through to the Fog gem.

##<a id="fog-azure"></a>Fog with Azure Storage

To configure your blobstores to use Azure Storage credentials, perform the steps below.

1. Insert the following configuration into your manifest under `properties.cc`:

    ```
    cc:
      buildpacks:
        blobstore_type: fog
        buildpack_directory_key: YOUR-AZURE-BUILDPACK-CONTAINER
        fog_connection: &fog_connection
          provider: AzureRM
          environment: AzureCloud
          azure_storage_account_name: YOUR-AZURE-STORAGE-ACCOUNT-NAME
          azure_storage_access_key: YOUR-AZURE-STORAGE-ACCESS-KEY
      droplets:
        blobstore_type: fog
        droplet_directory_key: YOUR-AZURE-DROPLET-CONTAINER
        fog_connection: *fog_connection
      packages:
        blobstore_type: fog
        app_package_directory_key: YOUR-AZURE-PACKAGE-CONTAINER
        fog_connection: *fog_connection
      resource_pool:
        blobstore_type: fog
        resource_directory_key: YOUR-AZURE-RESOURCE-CONTAINER
        fog_connection: *fog_connection
    ```

1. Replace `YOUR-AZURE-STORAGE-ACCOUNT-NAME` and `YOUR-AZURE-STORAGE-ACCESS-KEY` with your Azure Storage credentials.

1. Replace `YOUR-AZURE-BUILDPACK-CONTAINER`, `YOUR-AZURE-DROPLET-CONTAINER`, `YOUR-AZURE-PACKAGE-CONTAINER`, and `YOUR-AZURE-RESOURCE-CONTAINER` with the names of your Cloud Storage containers. 

1. You can provide further configuration through the <code>fog_connection</code> hash, which is passed through to the Fog gem.

##<a id="fog-local-nfs"></a>Fog with NFS

To configure your blobstores to use an NFS-mounted directory, perform the steps below.

1. Insert the following configuration into your manifest under `properties.cc`:

    ```
    cc:
      buildpacks:
        blobstore_type: fog
        buildpack_directory_key: YOUR-BUILDPACK-DIRECTORY-PREFIX
        fog_connection: &fog_connection
          provider: Local
          local_root: LOCAL_DIR_TO_MOUNT
      droplets:
        blobstore_type: fog
        droplet_directory_key: YOUR-DROPLET-DIRECTORY-PREFIX
        fog_connection: *fog_connection
      packages:
        blobstore_type: fog
        app_package_directory_key: YOUR-PACKAGE-DIRECTORY-PREFIX
        fog_connection: *fog_connection
      resource_pool:
        blobstore_type: fog
        resource_directory_key: YOUR-RESOURCE-DIRECTORY-PREFIX
        fog_connection: *fog_connection
    ```

1. Replace `YOUR-BUILDPACK-DIRECTORY-PREFIX`, `YOUR-DROPLET-DIRECTORY-PREFIX`, `YOUR-PACKAGE-DIRECTORY-PREFIX`, and `YOUR-RESOURCE-DIRECTORY-PREFIX` with the names of the directories you will be using. If you do not specify these, Cloud Foundry will supply usable default values.

1. (Optional) Provide other configuration with the `fog_connection` hash, which is passed through to the Fog gem.

1. Configure the `nfs_mounter` job for the `cloud_controller_ng`, `cloud_controller_worker`, and `cloud_controller_clock` instance groups. The `nfs_mounter` job specifies how to mount a remote NFS server onto a local directory.

    ```
    name: nfs_mounter
      properties:
        nfs_server:
          address: NFS-ENDPOINT
          share: REMOTE-DIR-TO-MOUNT
          share_path: LOCAL-DIR-TO-MOUNT
          nfsv4: false
      release: capi
   ```

Replace the placeholder text in the example above with the values you want to use. Sample values:

- `NFS-ENDPOINT`: `nfstestserver.service.cf.internal`
- `REMOTE-DIR-TO-MOUNT`: `/var/data/exported`
- `LOCAL-DIR-TO-MOUNT`: `/var/vcap/nfs`

##<a id="webdav"></a>WebDAV

To configure your blobstores to use the WebDAV protocol, perform the steps below.

1. Ensure your deployment manifest has a single instance of the blobstore job. For a working example, see the [example bosh-lite manifest](https://github.com/cloudfoundry/cf-release/blob/49a94e2/spec/fixtures/bosh-lite/cf-manifest.yml#L297-L329).

1. Insert the following configuration into your manifest under `properties.blobstore` and `properties.cc`:

    ```
    blobstore:
      admin_users:
      - password: WEBDAV-BASIC-AUTH-PASSWORD
        username: WEBDAV-BASIC-AUTH-USER
      port: 8080
      secure_link:
        secret: WEBDAV-SECRET
      tls:
        cert: WEBDAV-CERT
        port: 4443
        private_key: WEBDAV-PRIVATE-KEY
        ca_cert: WEBDAV-CA-CERT-BUNDLE
    cc:
      buildpacks:
        blobstore_type: webdav
        buildpack_directory_key: cc-buildpacks
        webdav_config: &webdav_config
          public_endpoint: WEBDAV-PUBLIC-ENDPOINT
          private_endpoint: WEBDAV-PRIVATE-ENDPOINT
          username: WEBDAV_BASIC-AUTH-USER
          password: WEBDAV_BASIC-AUTH-PASSWORD
          ca_cert: WEBDAV-CA-CERT-BUNDLE
      droplets:
        blobstore_type: webdav
        droplet_directory_key: cc-droplets
        webdav_config: *webdav_config
      packages:
        blobstore_type: webdav
        app_package_directory_key: cc-packages
        webdav_config: *webdav_config
      resource_pool:
        blobstore_type: webdav
        resource_directory_key: cc-resources
        webdav_config: *webdav_config
    ```

1. Configure your WebDAV blobstores by performing the following steps:
      * Replace <code>WEBDAV-BASIC-AUTH-USER</code> and <code>WEBDAV-BASIC-AUTH-PASSWORD</code> with Basic AUTH credentials that Cloud Controller can use to communicate with your WebDAV installation.
      * Replace <code>WEBDAV-SECRET</code> with a secret phrase used to sign URLs.
      * Replace <code>WEBDAV-CERT</code>, <code>WEBDAV-PRIVATE-KEY</code>, and <code>WEBDAV-CA-CERT-BUNDLE</code> with proper TLS configuration that are used for the internal blobstore.
      * Replace <code>WEBDAV-PUBLIC-ENDPOINT</code> with the public URL that resolves to your WebDAV installation. For example, `https://blobstore.SYSTEM-DOMAIN.example.com`.
      * Replace <code>WEBDAV-PRIVATE-ENDPOINT</code> with a routable URL on your internal network. If not set, this defaults to `https://blobstore.service.cf.internal:4443`.
      * Replace <code>WEBDAV-BASIC-AUTH-USER</code> and <code>WEBDAV-BASIC-AUTH-PASSWORD</code> with Basic AUTH credentials that Cloud Controller can use to communicate with your WebDAV installation.

1. Create a <code>webdav_config</code> hash to provide further configuration.
